main: sandbox: Add clone vow, Use exile_vows_from_str()

A fresh Ubuntu 22.04 uses clone3(), so the thread vow is not enough anymore.

Maybe Qt uses it now, who knows, let's just allow it for the time being.
Albert S. 2022-04-22 08:06:03 +02:00
parent e3440beae7
commit 4d0d9ba9c6


@ -31,11 +31,7 @@ void enableSandbox(QString socketPath)
std::string sockPath = socketPath.toStdString(); std::string sockPath = socketPath.toStdString();
policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER; policy->namespace_options = EXILE_UNSHARE_NETWORK | EXILE_UNSHARE_USER;
policy->vow_promises = EXILE_SYSCALL_VOW_THREAD | EXILE_SYSCALL_VOW_CPATH | EXILE_SYSCALL_VOW_WPATH | policy->vow_promises = exile_vows_from_str("thread cpath wpath rpath unix stdio prot_exec proc shm fsnotify ioctl clone");
EXILE_SYSCALL_VOW_RPATH | EXILE_SYSCALL_VOW_UNIX | EXILE_SYSCALL_VOW_STDIO |
EXILE_SYSCALL_VOW_PROT_EXEC | EXILE_SYSCALL_VOW_PROC | EXILE_SYSCALL_VOW_SHM |
EXILE_SYSCALL_VOW_FSNOTIFY | EXILE_SYSCALL_VOW_IOCTL;
if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_REMOVE_FILE, "/") != 0) if(exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_REMOVE_FILE, "/") != 0)
{ {
qCritical() << "Failed to append a path to the path policy"; qCritical() << "Failed to append a path to the path policy";